Native Implementation of WASIp1 in Wasmtime Affected by Resource Leak
CVE-2026-54786

2.3 LOW

Key Information:

CVE Published: 1 July 2026

What is CVE-2026-54786?

The Wasmtime runtime for WebAssembly has a resource leak in its native implementation of WASIp1. The flaw is in the fd_renumber function: the renumbered file descriptor is not adequately closed, which leads to resource exhaustion on the host side. The function appears to work correctly for the guest, but it fails to update the host's underlying table of descriptors. As a result, a guest that calls it repeatedly can deplete host resources, including file descriptors, unless this is properly mitigated. The vulnerability affects versions of Wasmtime that allow file descriptor access via core wasm modules, so updating to a patched version is necessary to ensure proper resource management.

Affected Version(s)

wasmtime < 24.0.10

wasmtime >= 25.0.0, < 36.0.11

wasmtime >= 37.0.0, < 44.0.3

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved